Windows Event ID 4766: An attempt to add SID History to an account failed
Windows Security Event ID 4766 records a failed attempt to add a SID to the SID History attribute of an Active Directory account, logging the Subject who attempted the change, the Target Account to be modified, and the Source Account whose SID was to be injected.
- Applicable version
- Windows Server 2008 R2 and later
- Last reviewed
- 2026-07-12
Trigger Scenarios
SID History additions are a specialized migration operation requiring domain-level privilege. A failed attempt is generated when an attacker lacks the necessary rights, when SID filtering blocks the attempted cross-forest SID, or when a deliberate probe tests whether the operation would succeed before attempting it with different credentials.
Key Fields
Target Account\Account Name / Security ID
The account that was the intended recipient of the injected SID. Targeting a highly-privileged account (Domain Admins member, Krbtgt, or an admin service account) signals an attempt to grant that account the access rights of the Source Account's SID.
Source Account\Account Name
The account whose SID was to be injected into Target Account's SID History. If Source Account Name belongs to a domain admin, Enterprise Admin, or a privileged service account in another domain, the attacker intended to grant Target Account those cross-domain rights silently.
Subject\Account Name / Security ID
The identity that attempted the modification. This event fires because the attempt failed, so Subject may be a low-privilege account probing the operation; cross-reference with any 4765 (success) records nearby to check whether a subsequent attempt with elevated credentials succeeded.
Common False Positives
- Active Directory migration tools (Quest Migration Manager, ADMT) legitimately write SID History during planned forest migrations and will generate 4766 during configuration testing if privileges are not yet in place.
- Accidental permission misconfigurations during migration projects can cause expected failures from authorized tools.
Related Events
MITRE ATT&CK Mapping
- T1134.005Access Token Manipulation: SID-History Injection
Detection Notes
Event 4766 has no status or failure-code field. Treat a Source Account from a different domain or a privileged name such as Enterprise Admins, followed by a matching 4765 for the same Target Account within 60 minutes, as a T1134.005 SID-History Injection probe and retry sequence. Use window=60 minutes to correlate a failed 4766 with a subsequent 4765.
SecurityEvent
| where EventID in (4766, 4765)
| project TimeGenerated, Computer, EventID, SubjectUserName, TargetUserName, SubjectUserSid
| order by TimeGenerated ascindex=wineventlog EventCode IN (4766, 4765)
| table _time, host, EventCode, SubjectUserName, TargetUserNameSubject:
Security ID: CORP\lowpriv
Account Name: lowpriv
Account Domain: CORP
Logon ID: 0x91A2F0
Target Account:
Security ID: CORP\svc-ops
Account Name: svc-ops
Account Domain: CORP
Source Account:
Account Name: Enterprise Admins
Additional Information:
Privileges: -